CertMate / Tools

NIS2 TLS Readiness Check

An interactive checklist that maps your TLS / cert posture to NIS2 Art. 21(2)(h) and Italian D.Lgs. 138/2024.


NIS2 Art. 21(2)(h) — Cryptography

  • 1.1 All public-facing services accept TLS 1.2+ only, with TLS 1.3 enabled and preferred.
  • 1.2 TLS 1.0 and 1.1 disabled on every internet-exposed endpoint.
  • 1.3 Legacy cipher suites (RC4, 3DES, NULL, EXPORT) disabled.
  • 1.4 Full certificate chain served (no client-side AIA chasing required).
  • 1.5 HSTS enabled on all sites, with max-age ≥ 31536000.
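The five items above can be evaluated mechanically once an endpoint's negotiated protocols, offered cipher suites, served chain and HSTS header have been collected. The script below is an added example, not the CertMate tool's own code: the `Endpoint` records, the trust store (`Example Root CA`) and the host names are constructed for illustration, and nothing here connects to a live server. It encodes each item as a predicate and computes the percentage score the checklist displays.

```python
"""Score a TLS endpoint description against checklist items 1.1-1.5.

Added example, not CertMate's own code. The endpoint descriptions below are
constructed by hand (the kind of data a scanner or server config would give
you); nothing here talks to a live host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Substrings identifying the legacy suite families named in item 1.3, in both
# OpenSSL (DES-CBC3-SHA, EXP-RC4-MD5) and IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) spellings.
LEGACY_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "EXP-")
HSTS_MIN_MAX_AGE = 31536000            # one year, per item 1.5
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Constructed trust store: the root expected to anchor the served chains.
TRUSTED_ROOTS = {"Example Root CA"}


@dataclass
class Endpoint:
    host: str
    protocols: Set[str]                 # protocol versions the server negotiates
    preferred_protocol: str             # version chosen when the client offers all
    ciphers: List[str]                  # cipher suites the server offers
    chain: List[Tuple[str, str]]        # (subject, issuer) pairs, leaf first, as served
    hsts_header: Optional[str]          # Strict-Transport-Security value, or None


def parse_hsts_max_age(header: Optional[str]) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent."""
    if header is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", header, re.IGNORECASE)
    return int(m.group(1)) if m else None


def chain_is_complete(chain: List[Tuple[str, str]], roots: Set[str]) -> bool:
    """Item 1.4: each served certificate must be issued by the next one, and the
    last served certificate must be a trusted root or issued directly by one.
    A chain that stops at an intermediate with an untrusted issuer forces clients
    to fetch the missing intermediate via AIA (or fail)."""
    if not chain:
        return False
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    last_subject, last_issuer = chain[-1]
    return last_subject in roots or last_issuer in roots


def evaluate(ep: Endpoint, roots: Set[str] = TRUSTED_ROOTS) -> dict:
    """Map one endpoint to pass/fail per checklist item."""
    legacy_present = any(
        marker in suite.upper() for suite in ep.ciphers for marker in LEGACY_CIPHER_MARKERS
    )
    max_age = parse_hsts_max_age(ep.hsts_header)
    return {
        "1.1": (ep.protocols <= ACCEPTABLE_PROTOCOLS
                and "TLSv1.3" in ep.protocols
                and ep.preferred_protocol == "TLSv1.3"),
        "1.2": not (ep.protocols & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}),
        "1.3": not legacy_present,
        "1.4": chain_is_complete(ep.chain, roots),
        "1.5": max_age is not None and max_age >= HSTS_MIN_MAX_AGE,
    }


def score(results: dict) -> int:
    """Percentage of items passed, rounded as the checklist displays it."""
    return round(100 * sum(results.values()) / len(results))


# Constructed endpoint descriptions: one compliant, one with typical legacy debt.
GOOD = Endpoint(
    host="www.example.com",
    protocols={"TLSv1.2", "TLSv1.3"},
    preferred_protocol="TLSv1.3",
    ciphers=["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    chain=[("www.example.com", "Example Intermediate CA"),
           ("Example Intermediate CA", "Example Root CA")],
    hsts_header="max-age=63072000; includeSubDomains; preload",
)
BAD = Endpoint(
    host="legacy.example.com",
    protocols={"TLSv1", "TLSv1.1", "TLSv1.2"},
    preferred_protocol="TLSv1.2",
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"],
    chain=[("legacy.example.com", "Example Intermediate CA")],   # intermediate not served
    hsts_header="max-age=300",
)

if __name__ == "__main__":
    for ep in (GOOD, BAD):
        r = evaluate(ep)
        print(ep.host, r, f"{score(r)}%")
```

The chain check deliberately accepts a chain that ends at an intermediate signed by a trusted root, because serving the root itself is optional; what it rejects is the common misconfiguration of serving only the leaf. Protocol and cipher names are matched as strings, so feed it the spelling your scanner emits.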

Italian ACN det. 379907/2025 — Inventory & lifecycle

  • 2.1 Centralized inventory of public certificates with expiry tracking.
  • 2.2 Automatic expiry alerts at T-30 and T-7 days.
  • 2.3 Documented renewal procedure (who, how, which CA).
  • 2.4 Documented fast-revocation procedure, tested in the last 12 months.
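Items 2.1 and 2.2 together amount to a small scheduled job: read the inventory, compute days to expiry per certificate, and raise an alert when a certificate crosses the T-30 or T-7 window (or has already expired), without re-sending an alert that has already gone out. The following is an added example, not CertMate's own code; the CSV inventory and the dates in it are constructed.

```python
"""Expiry alerting over a certificate inventory (checklist items 2.1 and 2.2).

Added example, not CertMate's own code. The inventory is a constructed CSV;
a real job would read it from the inventory system and hand the alerts to
whatever notifier is in use.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, FrozenSet, List, Tuple

THRESHOLDS = (30, 7)   # alert windows in days before expiry, per item 2.2

# Constructed inventory: host, notAfter date, issuing CA.
INVENTORY_CSV = """host,not_after,ca
www.example.com,2025-07-15,Example CA
api.example.com,2025-06-20,Example CA
old.example.com,2025-06-10,Example CA
mail.example.com,2025-12-01,Other CA
"""


def load_inventory(text: str) -> List[Dict]:
    """Parse the CSV inventory, converting not_after to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = datetime.strptime(row["not_after"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def alert_level(days_left: int, thresholds=THRESHOLDS):
    """Return 'EXPIRED', the tightest window the certificate is inside
    ('T-7' before 'T-30'), or None if no alert is due."""
    if days_left < 0:
        return "EXPIRED"
    for t in sorted(thresholds):          # smallest window first
        if days_left <= t:
            return f"T-{t}"
    return None


def due_alerts(inventory: List[Dict], today: date,
               already_sent: FrozenSet[Tuple[str, str]] = frozenset(),
               thresholds=THRESHOLDS) -> List[Tuple[str, str, int]]:
    """List (host, level, days_left) for every certificate needing an alert today.
    already_sent holds (host, level) pairs that were notified on a previous run,
    so each window produces one alert per host rather than one per day."""
    out = []
    for row in inventory:
        days_left = (row["not_after"] - today).days
        level = alert_level(days_left, thresholds)
        if level and (row["host"], level) not in already_sent:
            out.append((row["host"], level, days_left))
    return out


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for host, level, days in due_alerts(inv, date(2025, 6, 15)):
        print(f"{level:8} {host} ({days} days left)")
```

On the constructed data with a run date of 2025-06-15, `www.example.com` is exactly at T-30, `api.example.com` is inside the T-7 window, `old.example.com` has already expired and `mail.example.com` is silent; passing the T-30 alert for `www.example.com` in `already_sent` suppresses it on the next run while leaving the others.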

NIS2 Art. 23 — Incident reporting

  • 3.1 PKI incident runbook for ACN notification (24h early warning, 72h notification, 1-month final report).
  • 3.2 Emergency contacts for CA / registrar documented and reachable 24×7.
  • 3.3 Private-key rotation procedure tested for compromise scenarios.

DORA / eIDAS — Resilience & qualified

  • 4.1 Documented encryption policy (data at rest / in transit / in use) aligned to RTS 2024/1774 art. 6.
  • 4.2 For PSD2 / eIDAS Art. 45a-targeted services: QWAC from a qualified TSP.
  • 4.3 At least one secondary CA fallback for public certificates (multi-CA).